Fix validation problem that occurs when a user tries to deactivate their account or change their password. (#13563)

2024-06-02 10:48:56 +02:00 · 2022-08-19 11:03:29 +00:00 · 2022-08-19 11:03:29 +00:00 · 3a245f6cfe
parent 2c42673a9b
commit 3a245f6cfe
3 changed files with 19 additions and 3 deletions
--- a/changelog.d/13563.feature
+++ b/changelog.d/13563.feature
@ -0,0 +1 @@
+Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
--- a/synapse/rest/client/account.py
+++ b/synapse/rest/client/account.py
@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet):
                params, session_id = await self.auth_handler.validate_user_via_ui_auth(
                    requester,
                    request,
-                    body.dict(),
+                    body.dict(exclude_unset=True),
                    "modify your account password",
                )
            except InteractiveAuthIncompleteError as e:
@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet):
                result, params, session_id = await self.auth_handler.check_ui_auth(
                    [[LoginType.EMAIL_IDENTITY]],
                    request,
-                    body.dict(),
+                    body.dict(exclude_unset=True),
                    "modify your account password",
                )
            except InteractiveAuthIncompleteError as e:
@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet):
        await self.auth_handler.validate_user_via_ui_auth(
            requester,
            request,
-            body.dict(),
+            body.dict(exclude_unset=True),
            "deactivate your account",
        )
        result = await self._deactivate_account_handler.deactivate_account(
--- a/tests/handlers/test_deactivate_account.py
+++ b/tests/handlers/test_deactivate_account.py
@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase):
                )
            ),
        )
+
+    def test_deactivate_account_needs_auth(self) -> None:
+        """
+        Tests that making a request to /deactivate with an empty body
+        succeeds in starting the user-interactive auth flow.
+        """
+        req = self.make_request(
+            "POST",
+            "account/deactivate",
+            {},
+            access_token=self.token,
+        )
+
+        self.assertEqual(req.code, 401, req)
+        self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])
				`@ -0,0 +1 @@`
				Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).